The house leaks in the rain, and the boat meets the wind again
Disclaimer: * The tools in the article are for personal testing and research. Please delete them within 24 hours after downloading. Do not use them for commercial or illegal purposes.
The Apache Struts 2 2.3.x version prior to 2.3.32 and the Jakarta Multipart parser in version 2.5.x prior to 188.8.131.52 have security vulnerabilities that the program did not properly handle file uploads. An attacker can create a remote arbitrary code by constructing a Content-Type value in the HTTP request header. S2-046 and the S2-045 vulnerability belong to the same type and different vectors. If the user has upgraded the official patch after the previous S2-045 vulnerability exposure, this time will not be affected.
- The size of the uploaded file (specified by the Content-Length header) is greater than the maximum size allowed by Struts2 (2GB).
- The file name content constructs malicious OGNL content.
sh exploit-cd.sh http://xxx.com/action “whoami”
- Strictly filter the contents of Content-Type and filename. It is forbidden to use ognl expression related fields.
- If you are using a Jakarta based plugin, please upgrade to Apache Struts 2.3.32 or 184.108.40.206. (highly recommended)
[struts2-052 vulnerability] (http://thief.one/2017/09/06/1)
[struts2-046 vulnerability] (http://thief.one/2017/03/21/Struts2-046%E6%BC%8F%E6%B4%9E/)
[struts2_045 vulnerability] (http://thief.one/2017/03/07/Struts2-045%E6%BC%8F%E6%B4%9E/)
[struts2 vulnerability poc summary] (http://thief.one/2017/03/13/Struts2%E6%BC%8F%E6%B4%9EPOC%E6%B1%87%E6%80%BB/)